CSC - Cybersecurity Compliance NIST Risk Management Framework Questions and Answers

Question 1

A federal agency is deploying a new information system that will process, store, and transmit personally identifiable information (PII).
According to the NIST Risk Management Framework (RMF), which of the following steps must be completed FIRST to determine the necessary level of security controls?

Accepted Answer

Categorize the information system based on impact.

Answer

Implement a baseline set of security controls.

Answer

Authorize the system for operation.

Answer

Assess the security controls for effectiveness.

Question 2

Which step of the NIST Risk Management Framework (RMF) involves a formal, risk-based decision by a senior official to permit the operation of an information system?

Accepted Answer

Authorize

Answer

Assess

Answer

Monitor

Answer

Implement

Question 3

A financial institution is implementing the NIST RMF. During the 'Select' step, the security team identifies a set of controls that are applicable to multiple information systems across the enterprise. What is the correct term for these types of controls?

Accepted Answer

Common controls

Answer

System-specific controls

Answer

Hybrid controls

Answer

Compensating controls

Question 4

As part of the ongoing maintenance of a system's security posture under the NIST RMF, an organization continuously tracks changes, conducts ongoing security assessments, and reports on the security state of the system. Which RMF step are these activities most characteristic of?

Accepted Answer

Monitor

Answer

Prepare

Answer

Assess

Answer

Authorize

Question 5

Which of the following best describes the primary purpose of the 'Prepare' step in the NIST Risk Management Framework (RMF)?

Accepted Answer

To establish the context and foundation for managing security and privacy risk at both the organization and system levels.

Answer

To select and tailor the security controls for a specific information system.

Answer

To conduct a technical assessment of the implemented security controls.

Answer

To formally accept the risk of operating an information system and grant it an Authorization to Operate (ATO).

Question 6

A compliance analyst is reviewing documentation for a system that has just completed the 'Assess' step of the NIST RMF. Which of the following documents would be a primary output of this step?

Accepted Answer

Security Assessment Report (SAR)

Answer

System Security Plan (SSP)

Answer

Plan of Action and Milestones (POA&M)

Answer

Authorization to Operate (ATO) letter

A federal agency is deploying a new information system that will process, store, and transmit personally identifiable information (PII).According to the NIST Risk Management Framework (RMF), which of the following steps must be completed FIRST to determine the necessary level of security controls?

A federal agency is deploying a new information system that will process, store, and transmit personally identifiable information (PII).
According to the NIST Risk Management Framework (RMF), which of the following steps must be completed FIRST to determine the necessary level of security controls?